The Problem with Overnight Experts

Today's Example: Robert 'Bobby' Siciliano

Jericho

Mon Nov 12 17:55:42 CST 2012

The term "expert" does not have a strict definition. There is no precise time frame or point
in time where one moves from layperson to expert. According
to Merriam-Webster, an expert is someone "having, involving, or displaying special skill or
knowledge derived from training or experience". Of course, "special" in that context does not
have a strict definition either. Turning
to Wikipedia, the site begins by defining an expert as "someone widely recognized as a reliable source of
technique or skill whose faculty for judging or deciding rightly, justly, or wisely is accorded authority
and status by their peers or the public in a specific well-distinguished domain". That is a little
more descriptive and allows us to set criteria for the word.

Personally, I have never liked the term expert, because it is entirely too subjective. Someone with 5 years of experience
will look like an expert compared to a 2 year rookie. Both will look like rookies to a person with 20 years
of experience and training. That said, I do know an expert when I interact with one in the right setting.
A person becomes an expert in a field through having an inherent ability to learn and sufficient time and exposure
to the field to do that learning. As someone who has contributed
heavily to the Errata project's charlatan page, I am fairly well versed
at spotting people who are not experts. A frequent tell-tale sign of someone who may claim to be an expert
but is not, is the 'overnight' phenomenon. One day they are flipping burgers, the next they are
a counter-terrorism expert.

We've seen this in the past, not only with individuals, but companies. For example,
the company mi2g claimed
to be a security intelligence firm at one point, when their history was centered around
running a forum on automobiles. Today's example of an overnight expert comes in the form of one individual, Robert Siciliano. You
can read his
Wikipedia page for some background and links to his sites. Robert, or Bobby as we
have affectionately called him for years, has a very unclear start date for his involvement
in any form of professional security. Based on his bio and some emails many
years back, he appears to have been the victim of identity theft, and then overnight became
an expert on identity theft, ultimately on protecting yourself from it. I qualify that because Bobby's expertise
also suffers from expertise creep. He morphs from personal security, to identity theft, to
computer security over the last 7 years, all the while saying he isn't an expert in some
aspects of security. Comparing his bio on various sites, you begin to see this expertise
creep:

"Robert Siciliano is a personal security and identity theft expert with more than 25 years of experience in
security work, white-collar crime prevention, and self-defense. He is a television news correspondent, security analyst,
Certified Identity Theft Risk Management Specialist, CEO of..." - examiner.com

"Siciliano was motivated to enter the personal security field over two decades ago upon being a victim of
theft and violence and seeing crime all around him." - robertsiciliano.com

"Robert Siciliano is CEO of IDTheftSecurity.com, an identity theft expert, professional speaker, security analyst, published
author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an
advisor on product launches, branding, messaging, representation, SEO and media." - nextadvisor.com

"Robert Siciliano is an expert on business security, personal safety and identity theft. With 25 years of experience, Mr. Siciliano has been researching
and keeping in tune on how to avoid assaults and prevent fraud." - securityforsmallbusiness.com

Expert on personal security, identity theft, social media, startups, and even
quoted
as a 'computer security expert' recently. This goes back to the definition
of 'expert' though; in one
bio, he says he has "25 years of security training as a member of the American Society of Industrial Security".
There is a difference between 25 years of training, and 25 years of working in an industry. I also have serious doubts if
that 'society' taught all the disciplines mentioned above. Even better, we get a real glimpse into
this amazing morphing and expertise creep from the
bio on his own site:

"Siciliano has been surrounded by fraud throughout his entire life. Growing up in Boston provided numerous options for 'earning' through
fraudulent scams. However committing criminal acts never interested him. What has always had Robert's attention is how
brilliant the criminal "hackers" or more appropriately termed "crackers" are who perpetrate those crimes."

Huh?! Growing up in Boston, he had numerous options for 'earning' through fraudulent scams. This
sounds like the stereotypical Boston southie kid who had few options other than running
street scams and hustling. Yet he immediately turns this around and calls that fraud, or
directly associates it with, the activity carried out by 'hackers' or 'crackers'. There is
a considerable gap between running a game of Three-Card Monte and stealing someone's
identity by hacking a web site.

More Insight into Bobby's History

As mentioned above, several attrition.org staff members have contacted Bobby
over the years. Originally, it was because he seemed like a good guy, but misguided
on the entire computer security thing. Rather than immediately publish an article crying
'fraud', the mails were designed to steer him in the right direction. Despite him
being nominated as a possible charlatan as far back as 2006, we wanted to give
him a fair shot to learn and grow. For several years, it seemed like he took that
to heart, and walked a wobbly line that occasionally brought him close to the
'fraud' status. Some of this history may seem unfair at first; we all know
journalists can get things wrong. However, keep this in mind as you read further
and ultimately see the same excuse applied to mistakes for the last 7 years.

In October, 2006, a Douglas
Dispatch article quoted Bobby as a "former FBI agent" and "former government agent". This was one of the first
times we interacted with him. In response to our mails sent shortly after
the article was published, Bobby said "... this is a false statement by a reporter
who was misinformed. I'm not a former fbi agent or government agent.
My clients sponsor introduced me as that." We wrote this off as an honest
mistake, based on first-hand experience with journalists. In the dialogue
that continued with Bobby, he made several other points that are relevant
to this article:

I know a few more things than most regarding information security and basic
computer security that allows me to pass the information on in a responsible
manner.

[..]

I have 20 years in numerous professions regarding personal security. I've
been surrounded by rape victims since I was 13. And at 17 years old when 5
guys drop you to the ground and kick you till your shit rolls up your back
and you spend the rest of your life preventing that from happening to anyone
else and it becomes your every thought and breath, then, yes, after you
write 3 books on it, in some circles you are considered a "national personal
security expert"

[..]

I'm not selling crap. I'm not inflating my qualifications. I'm not claiming
anything I'm not qualified to. And I'm not hurting or deceiving anyone. The
last thing I want is conflict with you or anyone. I appreciate you being a
"watch dog". We're on the same team. I fight for truth every day.

This seems like a pretty honest and well-intentioned desire. We took
him at his word and moved on. He later told us that the FBI reference
came from a previous misunderstanding, that was not his fault:

When I began my presentation the person introducing me, introduced me as
former FBI, when she did, I hadn't actually gone on stage due to an audio
visual issue, I was initially shocked by her comment, but again, there was a
2-3 minute delay before I actually went on stage. By that time I forgot she
said it and I didn't offer clarification, which I should have. The whole
beginning of my program was a cluster F due to a miscommunication in my
start time. I was scheduled to start at 8:30 and I walked in at 8am to set
up and everyone was waiting for me to start at 8am. My contract says start
8:30.

Not his fault, got it? Months later, in March, 2007, we ran across
another
article quoting Bobby that got our attention. The article
goes on to say "Siciliano bills himself as an unofficial spokesman of MyLaptopGPS, a
Stillwater, Okla.-based company that sells laptop-tracking software which
allows users to remotely track and remove sensitive data when the stolen
laptop connects to the Internet". We asked him about the 'unofficial spokesman'
bit, since that was very specific and not something that a journalist would
likely come up with on their own. Once again, this was not Bobby's fault:

I've not billed myself unofficial spokesman. Those are not my words.
[attrition] you must know the one reported on doesn't have control of the reporter.
We can manage what we say, but not what is printed.

See, it's the reporter's fault again. In October, 2006, Bobby
specifically told us "I've never uttered the words or claimed being and [sic]
expert publicly or privately in the field of 'computer related information security'".
Very clear, on that day, he specifically said he was not a computer security
expert. Jump to June, 2007, and we
see a different story, as Bobby is specifically quoted on 'computer security'.
Eight whole months passed before he became a 'computer security' expert.

Between the overnight phenomenon and the expertise creep, it is clear that
Bobby does excel at social media to some degree (not counting his very lame
attempt at justifying Twitter follower purchases). He has a knack for getting
quoted in the media, including making appearances on Fox and other TV outlets.

The Latest and Greatest

Why now? Why write this rant some six years after our first encounter
with him? Because Bobby has done it yet again, and it isn't his fault, he will
most certainly pinkie swear. The problem is that while he is foaming at the mouth
saying it isn't his fault, he is completely missing the point. First, he doesn't
know shit about computer security despite his claims. Second, while he is
pinning the blame on his 'assistant', he doesn't see the three years of the exact
same thing being done as an issue. When I say the exact same thing, I mean
the exact same article that he has regurgitated ad nauseam.

Earlier today, an article appeared on InfosecIsland by Bobby, titled
"SQL Injection Attacks Targeting Small Business" (now 404, screenshot).
If you read the article, you will immediately see serious flaws if you aren't
rolling on the ground gasping for breath. SQL injection is not a virus,
SQLi attacks are still primarily used for stealing data, and updating your
operating system will do absolutely nothing to protect you from these
attacks. It is abundantly clear that Robert Siciliano
is not an expert on computer security. When challenged
on this article, Bobby promptly replied blaming someone else:

To better frame this reply and rant, and to be absolutely clear,
Bobby says his 'admin' somehow mixed two posts and accidentally posted this
article. Got it? Good!

This is 100%, absolute BULLSHIT. Bobby is lying to me, and
to a dozen others, and it is trivial
to prove. This exact same article, word for word, appears in other places months
prior:

When I challenged Bobby on this point, asking if this same 'administrative error'
led to it being done on more than one site, over the span of three months, he
once again blamed someone else, and chalked it up to his "well oiled machine":

Bobby; SQL injection is not a virus in any form of the word. It is a bug, more specifically
referred to as a vulnerability, kudos to getting that part right. Like your expertise creep,
your article also creeps from SQL injection to 'drive-by' attacks, which SQL injection is
not. You say "The unsuspecting PC user surfs an infected site and bam, code is injected onto
their PC and they are infected." No, that is not how SQL injection works, at all.
Who will you blame for this glaring fuckup? Hint: check your local mirror.
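To make the point concrete, here is an added example (not from the original article or from Siciliano) showing why SQL injection is a flaw in the web site's own code and not something that runs on a visitor's PC: the same tampered input is fed to a query built by string concatenation and to a parameterised query, against a constructed in-memory customer table. Nothing about the visitor's operating system is involved.

```python
import sqlite3

# Constructed sample data standing in for a small business's customer table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [(1, "alice@example.com", "1234"),
                      (2, "bob@example.com", "5678")])
    return conn

def lookup_vulnerable(conn, email):
    # The defect lives server-side: user input is pasted into the SQL text,
    # so the database cannot tell data from code. This is the bug the article
    # should have described; no code is "injected onto the PC" of the visitor.
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def lookup_fixed(conn, email):
    # The fix is also server-side: a bound parameter is always treated as a
    # value, never parsed as SQL, whatever characters it contains.
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

def demo():
    conn = make_db()
    # Constructed input that changes the meaning of the WHERE clause.
    tampered = "nobody@example.com' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, tampered),  # leaks every row
        "fixed": lookup_fixed(conn, tampered),            # matches nothing
        "normal": lookup_fixed(conn, "alice@example.com"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The leaked rows come straight out of the site's database, which is why SQLi is about stealing data from the server, and why an end user updating their operating system has no effect on it.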

The biggest point here Bobby, is that it is completely irrelevant who posted the article.
Even if it did get 'mashed together', you clearly wrote incredibly naive and inaccurate
statements and posted them as far back as 2009. You have since posted the same article, and same
inaccurate statements a dozen times over. In three years, if this was truly an 'administrative
error', you would have caught it. The fact that no reader left you feedback about the
accuracy of your article emphasizes just how dangerous you are. Despite your noble
intentions of educating people, you are talking to end users who don't know the difference between a hard drive
and malware. You are not doing them a service, you are hurting them.

Copyright 2012 by Jericho. Permission is granted to quote, reprint or redistribute provided the
text is not altered, appropriate credit is given and a link to the original copy is included.

Should you feel generous, please donate a couple of bucks to any 501(c)(3) non-profit that benefits animals or computer security on my behalf.